List of Microsoft Azure provider outpost permissions for Cortex Cloud.
When you onboard a Microsoft Azure outpost, Cortex Cloud generates an authentication template that requests the permissions needed to monitor your cloud environment. Which permissions are requested depends on the security capabilities you select in the onboarding wizard. The tables below are grouped by module and then by the role, access policy, or Graph permission that grants each permission; each row lists the component the grant is attached to, its scope, the principal that receives it, and its purpose:
The following Azure roles are required for the Required base permissions module.
The following Azure permissions are granted through the Key Vault access policy (a vault access policy, not an Azure RBAC role).
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Key Vault secrets: get / delete / list / purge / set | cortex-<keyvault> (Key Vault access policy) | Resource group | Outpost app registration SP | Key Vault access policy granting the orchestrator full secret lifecycle management for secrets used by the outpost (e.g. unmanaged registry credentials). |
The following Azure permissions are granted by the Storage Blob Data Contributor role.
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Storage Blob Data Contributor (built-in) | cortex-<resources_sufix> (Resource Group) [Condition: container '*bc-sc*' input/output paths] | Resource group | Outpost app registration SP | Built-in role granting read/write access to communication blob storage (input/output containers). Conditioned to '*bc-sc*' containers. |
The following Azure permissions are granted by the Storage Queue Data Message Processor role.
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Storage Queue Data Message Processor (built-in) | cortex-<resources_sufix> (Resource Group) [Condition: queue name like '*bc-sq*'] | Resource group | Outpost app registration SP | Built-in role granting read/process access to Storage Queue messages used for outpost event processing. Conditioned to queues matching '*bc-sq*'. |
The following Azure permissions are granted by the wo-role role.
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Microsoft.Compute/locations/usages/read | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | View regional usage and quota limits for compute resources. Ensures the outpost deployment stays within the Azure subscription's limits. |
Microsoft.Compute/skus/read | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | View available VM sizes (SKUs). Enables dynamic size selection for scanner or proxy VMs based on availability and requirements. |
Microsoft.Compute/virtualMachines/delete | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Delete a scanner or proxy VM. Necessary for secure lifecycle management; cleans up temporary VMs after a security task is complete. |
Microsoft.Compute/virtualMachines/read | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | View the properties of a scanner or proxy VM. Allows the system to verify status and configuration of the ephemeral VMs used for scanning. |
Microsoft.Compute/virtualMachines/write | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Create a scanner or proxy VM. Core provisioning permission required to dynamically deploy ephemeral scanner or proxy VMs spun up to perform specific security tasks. |
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Assign a user-assigned managed identity to a resource. Facilitates secure, credential-less access by associating an identity with outpost resources, eliminating stored static credentials. |
Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Attach a NIC IP configuration to an Application Security Group. Allows logical grouping of VMs for network security segmentation so scanner or proxy VMs inherit the correct security policies. |
Microsoft.Network/networkInterfaces/delete | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Delete NICs. Critical for network security hygiene; cleans up temporary or unused network resources to prevent dangling resources. |
Microsoft.Network/networkInterfaces/read | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | View NIC properties. Provides visibility into the network configuration of scanner and proxy VMs. |
Microsoft.Network/networkInterfaces/write | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Create or update NICs. Required to configure the network for secure and isolated communication for scanner/proxy VMs. |
Microsoft.Network/networkSecurityGroups/join/action | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Associate NICs or subnets with a Network Security Group (NSG). Applies specific traffic-filtering rules to scanner resources so they operate within a secured network boundary. |
Microsoft.Network/virtualNetworks/subnets/join/action | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Attach NICs to a subnet. Places the scanner or proxy VM into the designated virtual network subnet so it operates within the defined network topology. |
Microsoft.Network/virtualNetworks/subnets/join/action | Customer-provided Virtual Network | Customer virtual network | Outpost app registration SP | Allows the scanner NIC to join the customer-supplied subnet, which lives outside the outpost resource group. Because the NIC created in the outpost resource group references a subnet in another resource group, Azure also requires join permission on that linked resource; the workload-orchestrator role is therefore additionally assigned at the customer VNet scope, otherwise NIC creation fails with 403 LinkedAuthorizationFailed. |
Microsoft.ResourceGraph/resources/read | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Query spot eviction history rates using Azure Resource Graph. Enables dynamic and cost-effective VM size selection by predicting spot instance stability. |
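A practitioner reviewing these grants after deployment usually wants two checks: that the custom wo-role still grants exactly the documented actions (no drift, no wildcards), and that every Storage Blob Data Contributor assignment still carries the ABAC condition restricting it to '*bc-sc*' containers. The following is an added example written for this page, not Cortex Cloud or Azure code. It works offline on JSON exports; the field names it reads (`permissions[].actions`, `roleDefinitionName`, `condition`) are assumed to follow the shape of `az role definition list` and `az role assignment list` output, the sample documents are constructed, and the extra `runCommand/action` grant is a hypothetical drift inserted to exercise the check.

```python
"""Offline least-privilege audit of an Azure outpost role set (added example).

Assumed input shape: the JSON returned by `az role definition list` and
`az role assignment list`. All sample data below is constructed.
"""
import fnmatch
import re
from typing import Iterable, List, Optional

# wo-role actions documented for the base permissions module on this page.
EXPECTED_WO_ROLE_ACTIONS = frozenset({
    "Microsoft.Compute/locations/usages/read",
    "Microsoft.Compute/skus/read",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
    "Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action",
    "Microsoft.Network/networkInterfaces/delete",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.ResourceGraph/resources/read",
})

# Resource-attribute clause of an Azure ABAC storage condition.
_CONTAINER_CLAUSE = re.compile(
    r"@Resource\[Microsoft\.Storage/storageAccounts/blobServices/containers:name\]"
    r"\s+StringLike\s+'([^']+)'"
)


def granted_actions(role_def: dict) -> set:
    """Control- and data-plane actions a role definition grants.
    notActions are ignored on purpose: a deny-by-exception role is already wider
    than anything this page documents."""
    out = set()
    for perm in role_def.get("permissions", []):
        out.update(perm.get("actions", []))
        out.update(perm.get("dataActions", []))
    return out


def missing_actions(role_def: dict, expected: Iterable[str]) -> set:
    """Documented actions that no granted action (literal or wildcard) covers."""
    granted = granted_actions(role_def)
    return {a for a in expected if not any(fnmatch.fnmatchcase(a, g) for g in granted)}


def excess_actions(role_def: dict, expected: Iterable[str]) -> set:
    """Granted actions not literally documented. Wildcards are always reported:
    'Microsoft.Network/networkInterfaces/*' covers every documented NIC action
    but also grants ones the page never lists."""
    return granted_actions(role_def) - set(expected)


def container_patterns(condition: Optional[str]) -> List[str]:
    """Container-name patterns an ABAC condition restricts the assignment to."""
    return _CONTAINER_CLAUSE.findall(condition or "")


def unconditioned_blob_assignments(assignments: Iterable[dict],
                                   required_pattern: str = "*bc-sc*") -> List[str]:
    """IDs of Storage Blob Data Contributor assignments whose condition does not
    name the documented container pattern. Syntactic check only: it confirms the
    pattern is present, not that the condition's boolean structure is sound."""
    return [a["id"] for a in assignments
            if a.get("roleDefinitionName") == "Storage Blob Data Contributor"
            and required_pattern not in container_patterns(a.get("condition"))]


_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cortex-example"

# Constructed drifted wo-role: NIC actions collapsed to a wildcard, one
# hypothetical extra action added, the Resource Graph read dropped.
_DRIFTED_ACTIONS = sorted(
    EXPECTED_WO_ROLE_ACTIONS
    - {a for a in EXPECTED_WO_ROLE_ACTIONS if a.startswith("Microsoft.Network/networkInterfaces/")}
    - {"Microsoft.ResourceGraph/resources/read"}
) + ["Microsoft.Network/networkInterfaces/*",
     "Microsoft.Compute/virtualMachines/runCommand/action"]  # hypothetical drift
SAMPLE_ROLE_DEF = {
    "roleName": "wo-role", "roleType": "CustomRole", "assignableScopes": [_RG],
    "permissions": [{"actions": _DRIFTED_ACTIONS, "notActions": [],
                     "dataActions": [], "notDataActions": []}],
}

_BC_SC_CONDITION = (
    "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) "
    "AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})) "
    "OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringLike '*bc-sc*'))"
)
# Constructed: one correctly conditioned assignment and one that lost its condition.
SAMPLE_ASSIGNMENTS = [
    {"id": _RG + "/providers/Microsoft.Authorization/roleAssignments/ra-1",
     "roleDefinitionName": "Storage Blob Data Contributor", "condition": _BC_SC_CONDITION},
    {"id": _RG + "/providers/Microsoft.Authorization/roleAssignments/ra-2",
     "roleDefinitionName": "Storage Blob Data Contributor", "condition": None},
]


def audit() -> dict:
    """Run all checks over the sample data and return the findings."""
    return {
        "missing": sorted(missing_actions(SAMPLE_ROLE_DEF, EXPECTED_WO_ROLE_ACTIONS)),
        "excess": sorted(excess_actions(SAMPLE_ROLE_DEF, EXPECTED_WO_ROLE_ACTIONS)),
        "unconditioned_blob": unconditioned_blob_assignments(SAMPLE_ASSIGNMENTS),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings or 'ok'}")
```

On the sample data the audit reports the dropped Resource Graph read as missing, the NIC wildcard and the hypothetical `runCommand/action` as excess, and `ra-2` as an unconditioned blob assignment. Against a real subscription, replace the samples with the exported JSON for the outpost resource group; the same functions apply unchanged to the ADS, DSPM, Registry and Serverless blob assignments, which this page documents with the same '*bc-sc*' condition.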
The following Azure roles are required for the ADS module.
The following Azure permissions are granted by the Storage Blob Data Contributor role.
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Storage Blob Data Contributor (built-in) | cortex-<resources_sufix> (Resource Group) [Condition: container '*bc-sc*' input/output paths] | Resource group | agentless (saas-outpost-id) managed identity | Built-in role granting the ADS/agentless scanner read/write access to communication blob storage (input/output containers). Conditioned to '*bc-sc*' containers. |
The following Azure permissions are granted by the wo-role role.
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Microsoft.Compute/disks/delete | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Delete the temporary disk once scanning has finished. Ensures the disk copy created for analysis does not persist in the outpost resource group, which limits how long a second copy of the workload's data exists and avoids dangling resources. |
Microsoft.Compute/disks/read | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Retrieve disk metadata. Used to identify disk properties and states, such as detecting dangling disks, ensuring accurate inventory and assessment of storage resources within the environment. |
Microsoft.Compute/disks/write | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Create a disk from a snapshot before attaching it to a workload. Essential for dynamic scanning and analysis without affecting the live environment; allows creation of a temporary disk copy to be analyzed securely by the scanner. |
The following Azure roles are required for the DSPM module.
The following Azure permissions are granted through the Key Vault access policy (a vault access policy, not an Azure RBAC role).
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Key Vault secrets: get / list | cortex-<keyvault> (Key Vault access policy) | Resource group | dspm (dspm-outpost-id) managed identity | Key Vault access policy granting the DSPM scanner read access to secrets needed during data classification scans. |
The following Azure permissions are granted by the private-endpoint-role role.
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Microsoft.Network/operations/read | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | View available network-related operations. Validates that requested network configurations (private endpoints) are compatible with the current Azure environment. |
Microsoft.Network/privateEndpoints/delete | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Delete private endpoints. Critical for network security hygiene and resource cleanup; removes temporary network resources used for private scanning. |
Microsoft.Network/privateEndpoints/read | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | View private endpoint properties. Provides visibility into private connections to resources like storage accounts, ensuring data scanning occurs over secure, private channels. |
Microsoft.Network/privateEndpoints/write | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Create or update private endpoints. Establishes secure, isolated connections to managed services without exposing traffic to the public internet. |
The following Azure permissions are granted by the Storage Blob Data Contributor role.
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Storage Blob Data Contributor (built-in) | cortex-<resources_sufix> (Resource Group) [Condition: container '*bc-sc*' input/output paths AND '*artifact*'] | Resource group | dspm (dspm-outpost-id) managed identity | Built-in role granting the DSPM scanner read/write access to communication blob storage and artifact containers. Conditioned to '*bc-sc*' and '*artifact*' containers. |
The following Azure permissions are granted by the wo-role role.
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Microsoft.Compute/disks/delete | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Delete the temporary disk once scanning has finished. Ensures the disk copy created for analysis does not persist in the outpost resource group, which limits how long a second copy of the workload's data exists and avoids dangling resources. |
Microsoft.Compute/disks/read | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Retrieve disk metadata. Used to identify disk properties and states, such as detecting dangling disks, ensuring accurate inventory and assessment of storage resources within the environment. |
Microsoft.Compute/disks/write | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Create a disk from a snapshot before attaching it to a workload. Essential for dynamic scanning and analysis without affecting the live environment; allows creation of a temporary disk copy to be analyzed securely by the scanner. |
The following Azure roles are required for the Registry module.
The following Azure permissions are granted through the Key Vault access policy (a vault access policy, not an Azure RBAC role).
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Key Vault secrets: get / list | cortex-<keyvault> (Key Vault access policy) | Resource group | registry (registry-outpost-id) managed identity | Key Vault access policy granting the registry scanner read access to secrets (e.g. unmanaged registry credentials) needed during registry scans. |
The following Azure permissions are granted by the Storage Blob Data Contributor role.
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Storage Blob Data Contributor (built-in) | cortex-<resources_sufix> (Resource Group) [Condition: container '*bc-sc*' input/output paths] | Resource group | registry (registry-outpost-id) managed identity | Built-in role granting the registry scanner read/write access to communication blob storage (input/output containers). Conditioned to '*bc-sc*' containers. |
The following Azure roles are required for the Serverless module.
The following Azure permissions are granted by the Storage Blob Data Contributor role.
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Storage Blob Data Contributor (built-in) | cortex-<resources_sufix> (Resource Group) [Condition: container '*bc-sc*' input/output paths] | Resource group | serverless (serverless-outpost-id) managed identity | Built-in role granting the serverless scanner read/write access to communication blob storage (input/output containers). Conditioned to '*bc-sc*' containers. |
The following Azure roles are required for the Proxy module.
The following Azure permissions are granted by the wo-role role.
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Microsoft.Network/publicIPAddresses/delete | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Delete unused public IP addresses. Critical for network security hygiene and cost management; cleans up temporary public IPs used by proxy VMs. |
Microsoft.Network/publicIPAddresses/join/action | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Attach public IP addresses to the NIC of a proxy VM. Necessary for secure network configuration of the egress proxy. |
Microsoft.Network/publicIPAddresses/read | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | List existing static public IP addresses. Identifies available IPs that can be used by proxy VMs for egress traffic. |
Microsoft.Network/publicIPAddresses/write | cortex-<resources_sufix> (Resource Group) | Resource group | Outpost app registration SP | Create or update public IP addresses. Provisions necessary public entry/exit points for the isolated environment's communication needs (proxy VMs). |
The following Azure roles are required for the Graph Application Integration module.
The following Microsoft Graph application permission is granted through tenant-wide admin consent rather than an Azure RBAC role.
Permission | Assigned To (Component) | Applies To (Scope) | Principal (Identity) | Description |
|---|---|---|---|---|
Microsoft Graph Application.Read.All | Monitored Azure Tenant (Admin Consent) | Azure tenant | Outpost app registration (application) | Microsoft Graph application permission enabling the "Microsoft Graph Application" integration for asset discovery and risk management. Requested at onboarding and activated during Admin Consent. |